Using Powershell to back up GPO Links

Currently at my workplace, our GPO’s are backed up every now and then using a manual process via the GPMC.  I decided it was time to automate this process and I found out a few interesting discoveries which I thought I would share here.

Backing up all of the GPO’s is very easy in Powershell and it’s been documented a billion times all over the Internet:

Backup-GPO -Path C:\GPOBackups -All

Setting this up as a scheduled task completed the job nicely.

The tricky part was backing up the GPO Links.  In my environment there are a lot of GPO’s that are linked to a myriad of OU’s throughout our Organisation.  In the event of a disaster I want an easy method of seeing what these links were and an automated method of not only restoring the GPO’s but also re-creating the links.  What follows is the first part of my journey…

I went with the cmdlet Get-GPOReport for this.  First of all I ran it and generated an HTML report to see what it contained:

Get-GPOReport -GUID 42917962-6bfd-4d17-ade0-bfe411245bef -Path C:\GPOReport.html -ReportType html

The information presented included the GPO links – perfect:

htmlLinks

The next  step was to script it and set it up as a scheduled task that would run alongside my backup GPO task.  My criteria was to create a separate report for each GPO and name the report after the name of the GPO along with the date that the report was run.  I also decided to export the report as XML as this would give me greater flexibility later on and help me achieve my ultimate goal:

get-gpo -all | % $_ {Get-GPOReport -Guid $_.id -Path "c:\GPOBackups\Reports\$($_.displayname) $(get-date -Format "dd-MM-yy").xml" -ReportType xml}

I can now easily interrogate the xml for any info I need – for example, to see the GPO Links for a specified GPO:

$Path = 'c:\GPOBackups\reports'
$GPOXML = [xml](Get-Content "$path\Set Desktop Wallpaper 04-06-15.xml")
$GPOXML.GPO.LinksTo

Which displays the following info:

the Links

If I wanted the GUID I could further query the xml by adding the following:

[string]$GPOGUID = $GPOXML.gpo.Identifier.Identifier.InnerText
#Clean up the GUID...
$GPOGUID = $GPOGUID.Trim("{,}")

And If I wanted the GPO name:

$GPOName = $GPOXML.gpo.Name

You get the idea…

I now have all of the information I need and automated measures in place to write a script that would restore all or some of my GPO’s,  including the links,  in the event of a disaster. (But that’s a post for another day!)

If there’s a better \ simpler method then let me know as I’m still on my Powershell learning journey!

Be the first to comment

Leave a Reply